From 482a41f5f3ca7cabd99574c990d2e0c5f0b0ca90 Mon Sep 17 00:00:00 2001 From: BK Box Date: Mon, 18 May 2026 11:22:58 -0500 Subject: [PATCH 1/2] feat: add submodule checkout --- .github/README.md | 21 +++++++++++++ .github/actions/checkout-repo/action.yml | 33 ++++++++++++++++++++ .github/workflows/docker-build-push.yml | 39 ++++++++++++++++++++++-- 3 files changed, 90 insertions(+), 3 deletions(-) create mode 100644 .github/actions/checkout-repo/action.yml diff --git a/.github/README.md b/.github/README.md index d406681..47d1d31 100644 --- a/.github/README.md +++ b/.github/README.md @@ -8,6 +8,7 @@ This file documents the **OCI / Docker / Helm** composites and their callable wo | Kind | Path | Purpose | |------|------|---------| +| Composite | `.github/actions/checkout-repo` | Caller checkout with optional private **recursive submodules** (GitHub App) | | Composite | `.github/actions/docker-build-push` | ECR private/public OIDC or registry login; **Buildx** + QEMU, or **Warp** | | Composite | `.github/actions/helm-publish-oci` | Non-PR Helm **OCI** publish (lint, push) via registry token or AWS OIDC (ECR) | | Composite | `.github/actions/slack-notify-failure` | Small Slack failure step (`ravsamhq/notify-slack-action`) | @@ -53,6 +54,26 @@ jobs: runs-on-arm64: ubuntu-24.04-arm ``` +**Callable** — Docker with private submodules (`vars.APP_ID` + `secrets.APP_KEY` on the **caller** repo): + +```yaml +jobs: + image: + uses: FuelLabs/github-actions/.github/workflows/docker-build-push.yml@v1.0.0 + secrets: inherit + with: + auth-mode: ecr-oidc + aws-role-arn: ${{ secrets.AWS_ROLE_ARN }} + dockerfile: Dockerfile + image: 123.dkr.ecr.us-east-1.amazonaws.com/myapp-service + build-backend: native + checkout-submodules: true + checkout-app-repositories: | + fuel-o2 + my-app + my-submodule-repo +``` + **Callable** — Docker to ECR Public (OIDC): ```yaml 
diff --git a/.github/actions/checkout-repo/action.yml b/.github/actions/checkout-repo/action.yml new file mode 100644 index 0000000..701312e --- /dev/null +++ b/.github/actions/checkout-repo/action.yml @@ -0,0 +1,33 @@ +name: Checkout caller repository +description: > + Checkout the consumer repository. When submodules is true, mints a GitHub App token + (vars.APP_ID + APP_KEY env) and checks out submodules recursively for private deps. + +inputs: + submodules: + description: 'true | false — recursive submodule checkout with GitHub App auth' + required: false + default: 'false' + app-repositories: + description: Multiline repository names for create-github-app-token + required: false + default: '' + +runs: + using: composite + steps: + - name: Create GitHub App token + if: inputs.submodules == 'true' + uses: actions/create-github-app-token@v2 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ env.APP_KEY }} + owner: ${{ github.repository_owner }} + repositories: ${{ inputs.app-repositories }} + + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: ${{ inputs.submodules == 'true' && 'recursive' || 'false' }} + token: ${{ inputs.submodules == 'true' && steps.app-token.outputs.token || github.token }} diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 860ceb2..0241544 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml 
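Review bot: In the Create GitHub App token step, `repositories: ${{ inputs.app-repositories }}` is forwarded unchecked while `app-repositories` defaults to `''`, and per create-github-app-token's documented behaviour an empty `repositories` combined with `owner` mints a token scoped to every repository of that owner's installation, so a caller that forgets the input (the workflow only calls it required in a description) silently receives an over-privileged token instead of an error. A guard step ahead of the token step turns that into a clear failure at this action's boundary. Separately, actions/checkout keeps the token in `.git/config` by default (`persist-credentials: true`) for every later step and for any build context that includes `.git`; since the App token is only needed for the clone, consider `persist-credentials: false` unless a later step needs git auth. Both `uses:` lines float on a major tag; pinning them to a commit SHA is the usual supply-chain hardening for a composite that handles a private key.

```yaml
steps:
  - name: Require app-repositories when submodules are enabled
    if: inputs.submodules == 'true' && inputs.app-repositories == ''
    shell: bash
    run: |
      echo "::error::app-repositories must list the caller and submodule repositories when submodules is true"
      exit 1

  # … unchanged: Create GitHub App token and Checkout steps …
```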
@@ -110,6 +110,18 @@ on: If empty, a 16-char hash of inputs.image is used. required: false default: '' + checkout-submodules: + type: boolean + description: > + Checkout private git submodules before build (GitHub App: caller vars.APP_ID + secrets.APP_KEY). + default: false + checkout-app-repositories: + type: string + description: > + Multiline repo names for create-github-app-token (include caller + submodule repos). + Required when checkout-submodules is true. + required: false + default: '' secrets: REGISTRY_USERNAME: description: Username for registry-login (omit for pure ECR OIDC) @@ -122,6 +134,9 @@ on: Optional. WarpBuild API key for Docker Builders when runs-on is not a WarpBuild runner (see https://www.warpbuild.com/docs/ci/docker-builders). required: false + APP_KEY: + description: GitHub App private key (required when checkout-submodules is true) + required: false outputs: image: description: Repository/image name without tag (inputs.image — stable across native-merge and Warp) @@ -219,7 +234,13 @@ jobs: fail-fast: false matrix: ${{ fromJSON(needs.native-plan.outputs.matrix) }} steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: FuelLabs/github-actions/.github/actions/checkout-repo@master + env: + APP_KEY: ${{ secrets.APP_KEY }} + with: + submodules: ${{ inputs.checkout-submodules && 'true' || 'false' }} + app-repositories: ${{ inputs.checkout-app-repositories }} - name: Derive platform pair id: platform @@ -461,7 +482,13 @@ jobs: fail-fast: false matrix: ${{ fromJSON(needs.warp-multi-plan.outputs.matrix) }} steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: FuelLabs/github-actions/.github/actions/checkout-repo@master + env: + APP_KEY: ${{ secrets.APP_KEY }} + with: + submodules: ${{ inputs.checkout-submodules && 'true' || 'false' }} + app-repositories: ${{ inputs.checkout-app-repositories }} - name: Derive platform pair id: platform 
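Review bot: The `checkout-submodules` description names `secrets.APP_KEY` but not how it reaches this reusable workflow: `APP_KEY` is declared under `secrets:` in the next hunk with `required: false`, so a caller must forward it with `secrets: inherit` or an explicit `secrets:` entry, and a caller that only creates the repository secret gets an empty `env.APP_KEY` at checkout time with no declarative error. Suggest appending to the description: `Forward the key with secrets: inherit or an explicit secrets: APP_KEY entry in the caller.` Likewise `checkout-app-repositories` is only "required" in prose; nothing in the workflow fails when it is left empty while `checkout-submodules` is true, which is worth stating in the description until a validation step exists. The `inputs:` mapping starts before this hunk.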
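Review bot: The new Checkout repository step in the `@@ -219,7 +234,13 @@` hunk references the composite as `uses: FuelLabs/github-actions/.github/actions/checkout-repo@master`, a moving branch, while the README in this same patch tells callers to pin the reusable workflow to `@v1.0.0`; a consumer pinned to a release therefore still runs whatever `master` holds at run time for the step that receives the App private key and mints the token, so the pin no longer fixes that code. The same line appears in the `@@ -461,7 +482,13 @@` hunk and in the `@@ -643,7 +670,13 @@` hunk of this patch. Pin the composite to the same release tag or commit SHA as the workflow, e.g. `uses: FuelLabs/github-actions/.github/actions/checkout-repo@<release-tag-or-sha>`, and bump it as part of the release process; if the file's other composite references also use `@master`, the same applies to them. The enclosing jobs start outside these hunks.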
@@ -643,7 +670,13 @@ jobs: digest: ${{ steps.warp-push.outputs.digest }} metadata: ${{ steps.docker-meta.outputs.metadata }} steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: FuelLabs/github-actions/.github/actions/checkout-repo@master + env: + APP_KEY: ${{ secrets.APP_KEY }} + with: + submodules: ${{ inputs.checkout-submodules && 'true' || 'false' }} + app-repositories: ${{ inputs.checkout-app-repositories }} - name: Login and Docker metadata id: docker-meta From 28db1d093504a31e6b68cd7ef193e03da7a97696 Mon Sep 17 00:00:00 2001 From: BK Box Date: Mon, 18 May 2026 11:33:54 -0500 Subject: [PATCH 2/2] fix: pass app id --- .github/README.md | 2 +- .github/actions/checkout-repo/action.yml | 8 ++++++-- .github/workflows/docker-build-push.yml | 5 ++++- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/README.md b/.github/README.md index 47d1d31..17a6f27 100644 --- a/.github/README.md +++ b/.github/README.md @@ -54,7 +54,7 @@ jobs: runs-on-arm64: ubuntu-24.04-arm ``` -**Callable** — Docker with private submodules (`vars.APP_ID` + `secrets.APP_KEY` on the **caller** repo): +**Callable** — Docker with private submodules (set `vars.APP_ID` + `secrets.APP_KEY` on the **caller** repo; the reusable workflow passes `vars.APP_ID` into the checkout composite): ```yaml jobs: diff --git a/.github/actions/checkout-repo/action.yml b/.github/actions/checkout-repo/action.yml index 701312e..7894c24 100644 --- a/.github/actions/checkout-repo/action.yml +++ b/.github/actions/checkout-repo/action.yml 
@@ -1,13 +1,17 @@ name: Checkout caller repository description: > Checkout the consumer repository. When submodules is true, mints a GitHub App token - (vars.APP_ID + APP_KEY env) and checks out submodules recursively for private deps. + (app-id input + APP_KEY env) and checks out submodules recursively for private deps. inputs: submodules: description: 'true | false — recursive submodule checkout with GitHub App auth' required: false default: 'false' + app-id: + description: GitHub App ID (pass vars.APP_ID from the calling workflow) + required: false + default: '' app-repositories: description: Multiline repository names for create-github-app-token required: false @@ -21,7 +25,7 @@ runs: uses: actions/create-github-app-token@v2 id: app-token with: - app-id: ${{ vars.APP_ID }} + app-id: ${{ inputs.app-id }} private-key: ${{ env.APP_KEY }} owner: ${{ github.repository_owner }} repositories: ${{ inputs.app-repositories }} diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 0241544..c1a6087 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -113,7 +113,7 @@ on: checkout-submodules: type: boolean description: > - Checkout private git submodules before build (GitHub App: caller vars.APP_ID + secrets.APP_KEY). + Checkout private git submodules before build (GitHub App: caller repo vars.APP_ID + secrets.APP_KEY). default: false checkout-app-repositories: type: string @@ -240,6 +240,7 @@ jobs: APP_KEY: ${{ secrets.APP_KEY }} with: submodules: ${{ inputs.checkout-submodules && 'true' || 'false' }} + app-id: ${{ vars.APP_ID }} app-repositories: ${{ inputs.checkout-app-repositories }} - name: Derive platform pair @@ -488,6 +489,7 @@ jobs: APP_KEY: ${{ secrets.APP_KEY }} with: submodules: ${{ inputs.checkout-submodules && 'true' || 'false' }} + app-id: ${{ vars.APP_ID }} app-repositories: ${{ inputs.checkout-app-repositories }} - name: Derive platform pair 
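Review bot: The new `app-id` input is declared `required: false` with default `''`, yet the token step needs it whenever `submodules` is `'true'`; a caller whose repository lacks `vars.APP_ID` sends an empty string and the failure surfaces inside create-github-app-token rather than at this action's boundary. The description should state the conditional requirement, e.g. `description: GitHub App ID (pass vars.APP_ID from the calling workflow; required when submodules is true)`. A step guarded by `if: inputs.submodules == 'true' && inputs.app-id == ''` that exits non-zero with a clear message would make that contract enforceable. The `inputs:` mapping continues past the end of this hunk.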
@@ -676,6 +678,7 @@ jobs: APP_KEY: ${{ secrets.APP_KEY }} with: submodules: ${{ inputs.checkout-submodules && 'true' || 'false' }} + app-id: ${{ vars.APP_ID }} app-repositories: ${{ inputs.checkout-app-repositories }} - name: Login and Docker metadata